IP ROUTER DEVICE HAVING A TCP TERMINATION FUNCTION AND
A MEDIUM THEREOF

Background of the Invention 
Field of the Invention

Conventionally, the Internet was configured by
wired networks typified by Ethernet. In recent years,
however, networks configuring the Internet have been
diversified, and an IP network using a cellular phone,
a PHS, a wireless packet device, etc. has been widely
used. To effectively use a given bandwidth in the
Internet including wireless networks, an IP router with
which an efficient transmission rate can be obtained
in a connection between hosts in the case where networks
having different natures such as wired and wireless are
linked is needed.

The present invention relates to an IP router
device having a function for linking different networks
and for terminating a TCP connection relaying IP packets
between networks in a computer network based on the
Internet Protocol (IP).

Description of the Related Art 

In a wired network, an IP packet loss or delay
occurs mainly due to a congestion within an IP router
which links networks. In the meantime, in a wireless
network, data that is modulated into radio waves in the
physical layer is not properly transmitted by being
influenced by a state change caused by radio wave
attenuation, interference, blocking by an object, etc.
so that an IP packet loss or delay occurs.

Currently, the protocol called TCP (Transmission 
Control Protocol) is used as a standard for making a 
reliable data transmission in the Internet. 

TCP, however, is known to treat congestion occurring
within a wired network as the main cause of a packet
loss/delay, so an efficient transmission rate cannot be
obtained in a wireless network unless the parameters
and algorithms for controlling TCP are optimized for a
wireless network.

Considered as a solution to the above described
problem is an application gateway which terminates TCP
connections once in the TCP layer, establishes a
separate TCP connection for each of the networks of
different natures, uses the control parameters and
algorithms suitable for each TCP connection, and
thereby provides an efficient transmission rate.

Configuration of a conventional IP router device
and that of a conventional TCP terminating device are
respectively shown in Figs. 1 and 2. The IP router device
shown in Fig. 1 comprises network drivers 11a and 11b,
IP stacks 12a and 12b, and an IP forwarding 16. The IP
router passes IP packets between networks as shown in
Fig. 1. The header configuration of an IP packet, that
of a TCP packet, and that of an ICMP packet are
respectively shown in Figs. 3, 4, and 5.

In the header of the IP packet, src-IP (SOURCE IP
ADDRESS) indicating the IP address of a transmission
source, and dst-IP (DESTINATION IP ADDRESS) indicating
the IP address of a connection destination are described
as shown in Fig. 3. In the header of the TCP packet,
src-port number (SOURCE PORT) indicating the port number
of a transmission source, and dst-port number
(DESTINATION PORT) indicating the port number of a
connection destination are described as shown in Fig.
4. In the header of the ICMP packet, TYPE (type) and
an IP header and first 64 bits of a datagram are
described.

The flow of the process for inputting an IP packet,
which is performed by the IP stacks 12a and 12b of the
above described conventional IP router device, is shown
in Fig. 6, whereas the flow of the process for outputting
an IP packet, which is performed by the IP stacks 12a
and 12b of the IP router device, is shown in Fig. 7.
In the input process, the IP stack determines whether
or not the dst-IP address of an IP packet is addressed
to its local host as shown in Fig. 6. If the IP stack
determines that the IP packet is addressed to the local
host, it passes the packet to a TCP/UDP stack of its
local host. If the IP stack determines that the IP packet
is not addressed to the local host, it passes the packet
to the output process via the IP forwarding.

Additionally, in the output process, the IP stack 
searches a routing table with the dst-IP address or its 
subnetwork, and passes the IP packet to a network driver 
according to the routing table, as shown in Fig. 7. 

Since the IP router device only passes an IP packet
between networks as described above, an end host is
fundamentally unaware of the existence of the router.
An IP packet can be made to reach between arbitrary
hosts uniquely via this router device, and
there is no change in the information of the src-IP
address and the dst-IP address within the header of the
IP packet. Additionally, even if a change occurs in the
configuration of a router or the number of routers on
an end-to-end path, there is no influence.

Namely, one of the natures of the Internet is that
each host has a globally unique IP address, a
communication can be made from the host to an arbitrary
host, and a communication can be made from the arbitrary
host to the corresponding host. This nature is called
"end-to-end global connectivity guarantee".

In the meantime, the conventional TCP terminating
device (application gateway) is composed of network
drivers 11a and 11b, IP stacks 12a and 12b, TCP stacks
13a and 13b, a stream transferring unit 14, and a
database 20 for holding connection information.

The flowchart of the stream transfer function of
the conventional TCP terminating device (application
gateway) is shown in Fig. 8. As shown in this figure,
the stream transfer function waits for the link of a
TCP connection as a server socket (step S1), and
establishes a TCP connection with a client (step S2).
Then, the stream transfer function obtains the IP
address and the port number of the connection
destination from the data within a stream (step S3),
and establishes a TCP connection at the connection
destination as a client socket (step S4).

Then, the stream transfer function determines
whether or not the stream continues (step S5). If the
stream does not continue, the process is terminated.
If the stream continues, the stream transfer function
reads data the amount of which is equal to or smaller
than a predetermined amount from the stream from the
client (step S6), and writes the data to the stream to
the server (step S7).

The above described TCP terminating device
(application gateway) has a problem such that the global
connectivity guarantee cannot be made for the following
reasons.

(a) Many protocol-dependent application gateways
make TCP termination only for a particular protocol.
Therefore, an IP packet or a TCP stream does not flow
with an unsupported application.

(b) Since a gateway that does not store end-to-end
information makes TCP termination, the host of the
gateway is misidentified as an end host as opposed to
a partner end host. Namely, the end hosts cannot identify
their counterparts mutually.

One of the important things to implement the TCP 
terminating device (application gateway) is that the 
information of a connection destination must be notified 
from a client host by some means or another. 

As a specific example, http handling web data 
supports a communication via an application gateway 
referred to as a proxy. With http, the information of 
the IP address or the port number of a connection 
destination can be written. 

However, since such a method is not supported by
all application protocols, it can be said that service
scalability is significantly low.

In the meantime, there is a method using software
(middleware) for a client host, which operates in
coordination with an application gateway.
This software is intended to direct all TCP
connections toward an application gateway, and,
therefore, its service scalability is significantly
improved in comparison with a normal proxy.

However, this software cannot cope with a protocol
to be described below, according to which a connection
is established in two stages, and a second connection
is established in a reverse direction of a first
connection.

Taken as a specific example is the use of a data
transfer application ftp by an application gateway.

First of all, it is possible to establish a control
session from a client to a server. However, attempts
are unsuccessfully made to establish a data session,
which makes a data transfer, from the server to the
client. The reason why the first control session is
established is that a stream flows in the direction from
the client to the server.

However, the end host viewed from the server of
the control session is a gateway. Although the server
attempts to establish the data session toward the
gateway, it fails in the attempts to establish the data
session. This is because the gateway is not
passive-open.

As far as ftp is concerned, this problem can be
avoided by using the passive mode of the client software.
However, other protocols that establish a connection
in two stages exist, and service scalability is still
problematic if a possible future increase in such
protocols is considered.

As described above, reachability of an IP packet
or a stream has a problem in an end-to-end connection
on which a conventional TCP terminating device is
arranged, and the end-to-end connectivity guarantee
cannot be made.

A summary of one of the problems of the
conventional TCP terminating device, that is,
non-storage of end-to-end information, is shown in Figs.
10A and 10B.

As shown in Fig. 10A, no change occurs in the
information of the IP address and the port number within
the IP packet header even if the packet passes through
a normal IP router.

However, if an IP packet passes through the
conventional TCP terminating device (actually, the IP
packet is first reconfigured into a stream and then
reassembled into a packet), the IP address and the port
number of the IP packet are replaced with the IP address
and the port number of the gateway as a new end host,
as shown in Fig. 10B.

Currently, many application gateways and NAT
routers which perform the conversion between a private
address and a global address provide, in order to avoid
such a problem, the mechanism for respectively coping
with each application protocol and for transmitting a
TCP or a UDP packet from a server to an original client.

However, also with other application protocols,
not a few cases exist in which the IP address of a client
is obtained from the first session, and a TCP connection
is established from a server to the client or a UDP packet
is transmitted based on the obtained information.
Furthermore, because the above described mechanism has
a problem such that some measures must be taken each
time a new application or protocol appears, it can be
said that this mechanism lacks service scalability.

Summary of the Invention 

The present invention was developed in the above
described background, and aims at implementing an IP
router device having a function for terminating a TCP
connection which guarantees global connectivity
important as one nature of the Internet while adopting
the mechanism for terminating a TCP connection in order
to make an efficient transmission in a TCP connection.

A router device according to the present invention
is a router device having a function for linking a
plurality of different IP networks and terminating a
TCP connection. This router device comprises: a first
converting unit rewriting part of the IP address
information and the port number information within a
plurality of IP packets according to a predetermined
rule when the plurality of IP packets to be relayed,
which form a TCP connection, pass through the router
device; a unit extracting information indicating
an original connection destination of the TCP connection,
generating a TCP connection from the router to the
connection destination, and linking the two TCP
connections with streams; and a second converting unit
rewriting part of the IP address information and the
port number information within the plurality of IP
packets forming the TCP connection according to a
predetermined rule for a TCP connection from the router
to the connection destination, wherein the first and
the second converting units handle the above described
two TCP connections as a pair, assign a unique
identification number to the TCP connection pair, and
manage the two TCP connections according to the unique
identification number stored in the database.

According to the present invention, an IP router
device guaranteeing the global connectivity which is
important as one nature of the Internet while adopting
the mechanism for terminating a TCP connection is
realized to make an efficient transmission in the TCP
connection straddling networks of different natures.

Brief Description of the Drawings

Fig. 1 shows the configuration of a conventional
IP router device;

Fig. 2 shows the configuration of a conventional
TCP terminating device;

Fig. 3 shows the header configuration of an IP
packet;

Fig. 4 shows the header configuration of a TCP
packet;

Fig. 5 shows the header configuration of an ICMP
packet;

Fig. 6 shows the flow of an IP packet input process
performed by the conventional IP router device;

Fig. 7 shows the flow of an IP packet output
process performed by the conventional IP router device;

Fig. 8 is a flowchart showing a stream transfer
function of the conventional TCP terminating device;

Fig. 9 explains the outline of the present
invention;

Figs. 10A through 10C explain the information
change of an IP packet after passing through a router
and global connectivity;

Fig. 11 exemplifies the configuration of a device
to which the present invention is applied;

Fig. 12 shows the configuration of a router device
according to a preferred embodiment of the present
invention;

Fig. 13 explains conversion rules for information
within an IP packet in the router device according to
the preferred embodiment of the present invention;

Fig. 14 shows an input process of an IP stack
according to the preferred embodiment of the present
invention;

Fig. 15 shows an output process of the IP stack
according to the preferred embodiment of the present
invention;

Fig. 16 shows the flow of an entry deletion process
in a management database according to the preferred
embodiment of the present invention;

Fig. 17 shows the process flow of a converting
function 1 according to the preferred embodiment of the
present invention;

Fig. 18 shows the process flow of a converting
function 2 according to the preferred embodiment of the
present invention;

Fig. 19 shows the process flow of a converting
function 3 according to the preferred embodiment of the
present invention;

Fig. 20 shows the process flow of a converting
function 4 according to the preferred embodiment of the
present invention;

Fig. 21 shows the process flow of a stream transfer
function according to the preferred embodiment of the
present invention;

Fig. 22 explains IP packet generation and payload
information reversing; and

Fig. 23 shows the flow of an ICMP packet conversion
process according to the preferred embodiment of the
present invention.

Description of the Preferred Embodiments

Fig. 9 explains the outline of the present
invention. In this figure, 11a and 11b indicate network
drivers, 12a and 12b indicate IP stacks, 13a and 13b
indicate TCP stacks, 14 indicates a stream transferring
unit, 15 indicates a TCP connection management database,
and 16 indicates an IP forwarding.

Configuration of the fundamental portion of an IP
router device according to the present invention is
similar to that of a conventional application gateway.
However, according to the present invention, the
following points are added and modified in contrast to
the conventional application gateway shown in Fig. 2.

(a) The point that units converting the information
within a TCP/IP packet header (converting functions 1
through 4 shown in Fig. 9) in the IP stacks 12a and 12b,
and a database for these functions (a TCP connection
management database 15 shown in Fig. 9) are arranged.

(b) The point that a function for extracting the IP
address and the port number of a TCP connection
destination is arranged in the stream transferring unit
14.

The TCP/IP packet header information converting
functions 1 through 4 exist respectively as the
processes for input and output packets. These functions
operate individually for the network drivers (network
interfaces) 11a and 11b. Note that, however, the
converting functions 1 through 4 cooperate with one
another via the shared TCP connection management
database 15, so that the processes are performed
according to a unique conversion rule for one TCP
connection.

The stream transferring unit 14 has the function
for extracting the address and the port number of a TCP
connection destination based on the information of a
TCP connection with a client, unlike the conventional
application gateway.

As shown in Fig. 9, the present invention
overcomes the above described problems as follows.

(1) A router device that has a function for
terminating a TCP connection and links a plurality of
different IP networks is made to comprise: first
converting units (conversion functions 1 and 2 shown
in Fig. 9) rewriting part of the IP address information
and the port number information within a plurality of
IP packets according to a predetermined rule when the
plurality of IP packets to be relayed, which form a TCP
connection, pass through the router device; a stream
transfer 14 in Fig. 9 extracting the information
indicating an original connection destination of the
TCP connection, generating a TCP connection from the
router to the connection destination, and linking the
two TCP connections with a stream; and second converting
units (conversion functions 3 and 4) rewriting part of
the IP address information and the port number
information within a plurality of IP packets forming
the TCP connection to the original connection
destination, wherein the first and the second converting
units handle the above described two TCP connections
as a pair, store information needed for rewriting, which
is related with an identification number (entry or item
of Fig. 13), by assigning a unique identification number
to the pair, and manage the two TCP connections with
the unique identification number stored in the database
15.

(2) In the above described (1), the first and the
second converting units generate, delete, or update the
information of IP addresses or TCP port numbers obtained
from the database using an identification number as a
retrieval key, stored in the database upon receiving
the TCP connection termination notification from the
TCP stack.

(3) In the above described (1) and (2), the first and
the second converting units do not rewrite the
information within IP packets other than a TCP packet,
and route the packets to a predetermined network.

(4) In the above described (1), (2), and (3), the first
and the second converting units do not rewrite the
information within IP packets of a new TCP connection
which exceeds a predetermined number of connections,
and route the packets to a predetermined network.

(5) In the above described (1) through (4), the first
and the second converting units rewrite the IP address
information and the port number information, and part
of the TCP/IP header information included in packet data
for an ICMP packet which has header information of a
predetermined type therein.

The router device may be configured in a way such
that the above described first and second converting
units and the unit linking connections with a stream
assign one identification number to a TCP connection
pair, and manage a plurality of TCP connection pairs.
As a result, a plurality of TCP connections can be
supported.

Packet information before and after a
conventional IP router device, an IP router device
according to the present invention, and a conventional
application gateway are shown in Figs. 10A through 10C.

Fig. 10A shows the information of the IP address
and the port number within a packet header before and
after the packet passes through the above described
conventional IP router. This figure illustrates the
characteristic such that no change occurs in the address
and the port number information even if the packet passes
through the router. This means the above described
global connectivity guarantee.

Fig. 10B shows the information of an IP address
and a port number within a packet header before and after
the packet passes through the above described
conventional application gateway. Here, the
information within the packet header is shown to change
at the application gateway as a boundary. Accordingly,
the global connectivity cannot be guaranteed.

According to the present invention, no change
occurs in the information of an IP address and a port
number within a packet header although a TCP connection
is terminated. Accordingly, both of end hosts can
implement a TCP connection in exactly the same manner
as in the conventional IP router. Consequently, the
global connectivity is guaranteed.

Fig. 11 exemplifies the configuration where the
present invention is implemented as a device.

Normally, software for implementing the functions
of the present invention is stored in a main storage
device 102 or an auxiliary storage device 103 in a
general-purpose computer, and the processes according
to the present invention are executed by a CPU 101. The
device shown in Fig. 11 comprises two or more network
interfaces 104, to which different networks are linked.
As a network interface, not only Ethernet but also PPP
on a serial line, etc. are available.

The configuration of an IP router device according
to a preferred embodiment of the present invention is
shown in Fig. 12.

The IP router device according to this preferred
embodiment is mainly composed of two converting units
converting the information within a packet header by
managing the information of a TCP connection within an
IP stack, and a unit linking two TCP connections on a
stream level in the application layer.

In Fig. 12, host 2 and host 3 indicate hosts. Here,
as shown in this figure, it is assumed that the IP address
of a host 2 is a1, the (dynamically assigned) client
port number of an application is p1, the IP address of
a host 3 is a4, and the server port number (fixed value
for each application server) of an application server
is p4.

Router device 1 indicates the IP router device
according to this preferred embodiment. As shown in Fig.
12, it is assumed that the IP addresses of the IP router
are a2 and a3, the server port number (fixed value) of
the stream transfer software is p2, and the (dynamically
assigned) client port number of the stream transfer
software is p3.

The IP router device 1 comprises network drivers
11a and 11b, IP stacks 12a and 12b, TCP stacks 13a and
13b, and a stream transferring unit 14 for linking two
TCP connections with streams. The stream transferring
unit 14 has a function for extracting the IP address
of the original connection destination of a TCP
connection.

15 indicates a database for managing TCP
connections. The IP stacks 12a and 12b convert a packet
header in cooperation with the database 15. The IP
forwarding 16 routes an IP packet, which is not regarded
as a conversion target by the IP stack, in a similar
manner as in the conventional router device shown in
Fig. 1, as will be described later.

Fig. 13 shows the functions for converting a
packet header within the IP stack and their rules, and
the cooperation between the TCP connection management
database and the conversion functions.

In this figure, "a1" within "src a1, p1" indicates
the IP address (src-IP) of a transmission source and
"p1" indicates the port number (src-port number) of the
transmission source, whereas "a4" within "dst a4, p4"
indicates the IP address (dst-IP) of a connection
destination and "p4" indicates the port number (dst-port
number) of the connection destination. This figure also
illustrates that "src a1, p1" and "dst a4, p4" are
converted from "previous" to "new" respectively with
the conversion functions 1 through 4. Furthermore, "p2"
indicates the server port number (fixed value) of the
stream transfer software as described above, and "pN"
indicates the identification number of a TCP connection,
which is uniquely assigned to each connection.

The conversion rules shown in Fig. 13 indicate
that no change occurs in the packet information (the
IP address and the port number within a header) explained
by referencing Fig. 10 when the router is externally
viewed, and also indicate that the stream transfer
function can handle two terminated TCP connections when
the router is viewed from its application layer. A series
of the conversion functions is composed of the following
processes.

(1) A process for an IP packet flowing from the network
drivers 11a and 11b to the IP stacks 12a and 12b (the
flow shown in Fig. 14)

(2) A process for an IP packet flowing from the IP
stacks 12a and 12b to the network drivers 11a and 11b
(the flow shown in Fig. 15)

(3) An entry deletion process of the TCP connection
management database 15 (abbreviated to a management
database hereinafter) (the flow shown in Fig. 16)

In the IP packet processes in the above described
(1) and (2), the IP stacks 12a and 12b convert the IP
address and the port number within the header of an IP
packet with the conversion functions 1 through 4 shown
in Fig. 13 (the flows shown in Figs. 17 through 20).

It should be noted that the IP and the TCP stacks
within the router are respectively separated into two
for the sake of convenience in Fig. 12. However,
according to this preferred embodiment, the IP and the
TCP stacks are shared even if a plurality of interfaces
exist. Accordingly, the above described packet process
(1) includes the conversion functions 1 and 4. Similarly,
the above described packet process (2) includes the
conversion functions 2 and 3.

As shown in Fig. 6, the conventional IP router
judges the process for a flowing-in IP packet by
determining whether or not the dst-IP address is the
local host (router itself), and outputs an IP packet
the dst-IP address of which is not the local host to
a network via the IP forwarding (IP routing).

According to this preferred embodiment, TCP
termination is made instead of this IP routing. If an
IP packet the dst-IP address of which is not the local
host is a TCP or an ICMP packet, the packet is made to
pass through the conversion function 4 or 1 (the flow
of Fig. 14 to be described later). With the respective
conversion functions, the IP address and the port number
of a packet registered to the TCP connection management
database 15 as a target are converted as shown in Fig.
13, and the packet is passed to the TCP stack 13a or
13b within the router. A packet unregistered to the
management database 15 is not regarded as a conversion
target.

As will be described later, the conversion
function 1 adds an entry to the database if an IP packet
that is not regarded as a conversion target has an SYN
flag (communication establishment request flag) of TCP,
and if attempts are made to establish a new TCP
connection. The conversion function 1 must be executed
after the conversion function 4, in order to implement
this new entry addition function.

The IP packet that is not regarded as a conversion
target finally, that is, a UDP packet or a TCP packet
which does not comply with some restriction or another
(a connection number restriction to be described later,
etc.) is routed via the IP forwarding 16, similar to
the conventional IP router.

With the process for a flowing-out IP packet, the 
conventional IP router searches a routing table for a 
network with a dst-IP address as shown in Fig. 7, and 
outputs the packet to the searched network. 

According to this preferred embodiment, a packet
other than a packet that is transmitted via the IP
forwarding 16, that is, an IP packet passed from the
application layer to the TCP/ICMP layer as a target is
passed to the conversion function 2 or 3, which converts
its IP address and port number as shown in Fig. 15. The
packet is processed in a similar manner as in the
conventional router after being converted, and output
to the network.

The TCP connection management database 15 manages
a TCP connection from its generation to its termination,
and assigns a unique identification number (pN shown
in Fig. 13) to each connection.

An entry managed by the management database 15 is
composed of 5 items A through E as shown in Fig. 13.
Each entry is newly generated at the same time a new TCP
connection is detected by the conversion function 1,
and assigned the items A through D.

With the conversion function 3, the item E is
assigned as shown in Fig. 13. In this way, the conversion
functions 1 through 4 can rewrite the IP address and
the port number within a packet header in correspondence
with a database entry.

An entry in the management database 15 is deleted
by the TCP stack in synchronization with the closing
of a TCP connection as shown in the flow of Fig. 16 to
be described later. Namely, when a TCP connection is
closed, the TCP stack calls a connection termination
process routine within the management database 15 with
the identification number of the TCP connection. This
process routine searches a corresponding entry with the
identification number, and deletes the entry from the
database.

An entry for managing a connection within the
management database 15 is newly generated when SYN
(communication establishment request) of a TCP packet
arrives, and deleted when being called from the closing
process of the TCP stack as described above. This
eliminates the need for tracking an entire TCP sequence
for the existence of a connection [SYN (communication
establishment request), FIN (termination request), and
RST (forcible termination)] as in the operations of the
TCP stack, thereby greatly simplifying the connection
management process.

The stream transferring unit 14 makes a stream
transfer as shown in the flow of Fig. 21 to be described
later.

The difference between the typical stream
transfer function for use in the conventional
application gateway shown in Fig. 8 and the stream
transfer function according to this preferred
embodiment lies in the method of obtaining the IP address
and the port number of a server to be connected.

With the conventional application gateway, the
information of the IP address and the port number is
normally presented within a stream from a client. By
way of example, for an http proxy which is one type of
an application gateway, host information for obtaining
an IP address "www.nic.ad.jp" and a port number "80"
is written in its stream as follows.

GET / HTTP/1.0 (at the time of an end-to-end
communication)

GET http://www.nic.ad.jp:80/ HTTP/1.0 (when the
proxy is used)

In contrast, according to this preferred
embodiment, the information of an original connection
destination ("dst a4" in Fig. 13) remains within an IP
packet after the conversion function 1 as shown in
Fig. 13. Therefore, the stream transfer function can obtain
the IP address of the server to be connected by using
a function for obtaining the connection destination
information of a socket.

Since the port number is rewritten to the server
port ("p2" in Fig. 13) of the server socket of the stream
transfer function by the conversion function 1, the
original value cannot be obtained from destination
information of a socket with the stream transfer
function. However, the identification number (pN in
Fig. 13) of a TCP connection is set in the src-port number
of the socket by the conversion function 1 as shown in
Fig. 13. Therefore, this is used as the port number of
the TCP connection to the server.

The information of the port number is rewritten
to the port number ("p4" in Fig. 13) of the server being
the original connection destination when a TCP packet
passes through the conversion function 3, as shown in
Fig. 13. With the conversion function 3, not only the
dst-port number but also the src-IP address and the
src-port number are rewritten. Therefore, even if the
stream transfer function uses a client socket that is
assigned a dynamic port number, the original IP address
and the port number, which are assigned by the original
client, can be viewed from the server in which the client
is to be accommodated.

The above described process is explained by
referencing the flowcharts shown in Figs. 14 through 21.

Fig. 14 shows the IP packet input process
performed by the IP stack in the above described (1).

When an IP packet flows from the network driver
to the IP stack, the IP stack determines whether or not
the dst-IP address is its local host (step S1). If the
dst-IP address is its local host, the IP stack passes
the packet to the TCP/IP stack of the local host (step
S2). Here, the process is terminated. If the dst-IP
address is not the local host, the IP stack determines
whether the packet is either a TCP or an ICMP packet
(step S3). If the packet is neither a TCP nor an ICMP
packet, the IP stack passes the packet to the IP packet
output process via the IP forwarding 16.

If the IP packet is either a TCP or an ICMP packet,
the process proceeds to step S5 where the IP address
and the port number within the TCP/IP packet are
converted with the conversion function 4 (the flow of
Fig. 20 to be described later), for example, as shown
in the conversion function 4 of Fig. 13. Then, it is
determined whether or not the IP address and the port
number are converted (step S6). If it is determined that
the IP address and the port number are converted, the
packet is passed to the TCP/IP stack of the local host
(step S2). Here, the process is terminated.

If it is determined that the IP address and the
port number are not converted, the IP address and the
port number within the TCP/IP packet are converted with
the conversion function 1 (the flow of Fig. 17), for
example, as shown in the conversion function 1 of Fig. 13.
Then, it is determined whether or not the IP address
and the port number are converted (step S8). If the IP
address and the port number are not converted, the packet
is passed to the IP packet output process via the IP
forwarding 16 (step S4). If the IP address and the port
number are converted, the packet is passed to the TCP/IP
stack of the local host (step S2). Here, the process
is terminated.

Fig. 15 shows the IP packet output process
performed by the IP stack in the above described (2).

When an IP packet flows into the IP stack, the IP
stack determines whether or not the packet arrived
via the IP forwarding 16 (step S1). If the IP packet
arrived via the IP forwarding 16, the process proceeds
to step S6 where the IP stack searches a routing table
with the dst-IP address or its subnetwork (step S6),
and passes the IP packet to the network driver according
to the routing table.

If the IP packet did not arrive via the IP
forwarding 16, the IP stack determines whether the
packet is either a TCP or an ICMP packet (step S2). If
the packet is neither a TCP nor an ICMP packet, the
process proceeds to step S6 where the above described
process is performed.

If the IP packet is either a TCP or an ICMP packet,
the IP address and the port number within the TCP/IP
packet are converted with the conversion function 2 (the
flow shown in Fig. 18), for example, as shown in the
conversion function 2 of Fig. 13 (step S3). Then, it
is determined whether or not the IP address and the port
number are converted (step S4). If the IP address and
the port number are converted, the process proceeds to
step S6. If the IP address and the port number are not
converted with the conversion function 2, the IP address
and the port number within the TCP/IP packet are
converted with the conversion function 3 (the flow of
Fig. 19) (step S5). The process then proceeds to step
S6 where the routing table is searched with the dst-IP
address or its subnetwork (step S6), and the IP packet
is passed to the network driver according to the routing
table.

Fig. 16 shows the entry deletion process in the 
management database 15 in the above described (3). 

Upon termination of a connection within the TCP
stack, the connection termination process within the
TCP stack notifies the management database 15 that the
connection is terminated (step S1). As a result, the
connection termination process within the management
database 15 is called. The connection termination
process searches the database for a corresponding entry
with the identification number (the above described
"pN") of the TCP connection (step S3), and deletes the
entry from the database (step S4).

In the meantime, the connection termination
process within the TCP stack deletes the TCP control
block (step S2).

Fig. 17 shows the process performed by the above
described conversion function 1. The src-IP address,
the src-port number, the dst-IP address, and the
dst-port number within a TCP/IP packet flowing from the
network driver into the IP stack are converted with the
conversion function 1 as follows.

First of all, in step S1, entries within the
management database 15 are searched, and it is
determined whether or not an entry including the src-IP
address within the TCP/IP packet, which matches the IP
address of the item A (see Fig. 13) within the management
database 15, the src-port number which matches the port
number of the item A, the dst-IP address which matches
the IP address of the item B, and the dst-port number
which matches the port number of the item B, exists.

If the above described entry does not exist in the
management database 15, the process proceeds from step
S2 to step S3 where it is determined whether or not a
connection to be processed complies with a restriction
on the number of connections. If the connection to be
processed does not comply with the restriction on the
number of connections, the process is terminated. In
this case, the packet is passed to the IP packet output
process via the IP forwarding 16.

If the connection to be processed complies with
the restriction on the number of connections, step S3a
is then conducted to check whether establishment of a
TCP connection is required. If establishment of a TCP
connection is required, the process goes to step S4;
otherwise the process terminates. In this way, TCP
connection generation by the TCP stack is synchronized
with generation of entries for address rewriting. In
step S4, a new entry is generated in the management
database 15, and the src-IP address and the src-port
number are registered to the item A within the above
described entry (step S5). In addition, the dst-IP address
and the dst-port number are registered to the item B
within the entry (step S6). For example, in Fig. 13,
"a1, p1" and "a4, p4" are respectively registered to
the items A and B.

Additionally, duplicates of the items A and B are
registered to the IP addresses of the items C and D within
the entry respectively. Furthermore, the
identification number of the TCP connection is
registered to the port number (step S7). For example,
in Fig. 13, "pN" is registered to the port numbers of
the items C and D.

Then, the port number of the item C is set in the
src-port number within the TCP/IP packet (step S8), and
the server port number of the stream transfer software
is set in the dst-port number within the TCP/IP packet
(step S9). Then, the checksum of the IP packet is
recalculated (step S10), and the process is terminated.

If it is determined in step S2 that an entry satisfying
the condition of step S1 exists, the process proceeds
to step S8, and the operations in steps S8 to S10 are
performed.

With the above described process, for example, in
Fig. 13, "a1" and "pN" are respectively set in the src-IP
address and the src-port number, whereas "a4" and "p2"
are respectively set in the dst-IP address and the
dst-port number, as shown in "new" of the conversion
function 1 shown in Fig. 13.

Fig. 18 shows the process performed by the above
described conversion function 2. The src-IP address,
the src-port number, the dst-IP address, and the
dst-port number within a TCP/IP packet flowing from the
IP stack to the network driver are converted with the
conversion function 2 as follows.

First of all, in step S1, entries in the management
database 15 are searched, and it is determined whether
or not an entry including the dst-IP address within a
TCP/IP packet which matches the IP address of the item
C within the management database 15, and the dst-port
number which matches the port number of the item C,
exists (step S2).

If the above described entry does not exist in the
management database 15, the process is terminated. If
the entry exists, the process proceeds from step S2 to
step S3 where the port number of the item B is set in
the src-port number within the TCP/IP packet, and the
port number of the item A is set in the dst-port number
within the TCP/IP packet (step S4). Then, the checksum of
the IP packet is recalculated (step S5), and the process
is terminated.

With the above described process, for example, as
shown in "new" of the conversion function 2 of Fig. 13,
"a4" and "p4" are respectively set in the src-IP address
and the src-port number, whereas "a1" and "p1" are
respectively set in the dst-IP address and the dst-port
number.

Fig. 19 shows the process performed by the above
described conversion function 3. The src-IP address,
the src-port number, the dst-IP address, and the
dst-port number within a TCP/IP packet flowing from the
IP stack to the network driver are converted with the
conversion function 3 as follows.

First of all, in step S1, entries within the
management database 15 are searched, and it is
determined whether or not an entry including the dst-IP
address within the TCP/IP packet which matches the IP
address in the item D within the management database
15, and the dst-port number which matches the port number
of the item D, exists.

If the above described entry does not exist in the
management database 15, the process is terminated. If
the entry exists, the process proceeds from step S2 to
step S3 where the IP address of the item A is set in
the src-IP address within the TCP/IP packet (step S3).
Then, the port number of the item A is set in the src-port
number within the TCP/IP packet (step S4), and the port
number of the item B is set in the dst-port number within
the TCP/IP packet (step S5). Then, the checksum of the
IP packet is recalculated (step S6).

Next, it is determined whether or not the item E of
the above described entry has been registered (step
S7). If the item E has not been registered, the src-IP
address and the src-port number are registered to the
item E of the entry (step S8), and the process is
terminated.

With the above described process, for example, as
shown in "new" of the conversion function 3 shown in
Fig. 13, "a1" and "p1" are respectively set in the src-IP
address and the src-port number, whereas "a4" and "p4"
are respectively set in the dst-IP address and the
dst-port number. Additionally, "a3, p3" is registered
to the item E of the management database 15.

Fig. 20 shows the process performed by the above
described conversion function 4. The src-IP address,
the src-port number, the dst-IP address, and the
dst-port number within a TCP/IP packet flowing from the
network driver to the IP stack are converted with the
conversion function 4 as follows.

First of all, in step S1, entries in the management
database 15 are searched, and it is determined whether
or not an entry including the src-IP address within the
TCP/IP packet which matches the IP address in the item
B within the management database 15, the src-port number
which matches the port number of the item B, the dst-IP
address which matches the IP address of the item A, and
the dst-port number which matches the port number of
the item A, exists.

If the above described entry does not exist in the
management database 15, the process is terminated. If
the entry exists, the process proceeds from step S2 to
step S3 where the port number of the item D is set in
the src-port number within the TCP/IP packet (step S3).
Then, the IP address of the item E is set in the dst-IP
address within the TCP/IP packet (step S4), and the port
number of the item E is set in the dst-port number within
the TCP/IP packet (step S5). Then, the checksum of the
IP packet is recalculated (step S6), and the process
is terminated.

With the above described process, for example, as
shown in "new" of the conversion function 4 in Fig. 13,
"a4" and "pN" are respectively set in the src-IP address
and the src-port number, whereas "a3" and "p3" are
respectively set in the dst-IP address and the dst-port
number.
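
The four conversion functions described above, modelled as an added example that is not code from this document: the class and method names are hypothetical, the addresses and ports are constructed stand-ins for a1/p1, a4/p4, a3/p3, p2 and pN of Fig. 13, and checksum recalculation, the restriction on the number of connections and entry deletion are left out.

```python
from dataclasses import dataclass
from typing import Optional, Tuple

Endpoint = Tuple[str, int]                     # (IP address, port number)

@dataclass
class Packet:
    src: Endpoint
    dst: Endpoint
    syn: bool = False                          # connection establishment request

@dataclass
class Entry:                                   # one entry, items A through E
    A: Endpoint                                # original client (src of the first SYN)
    B: Endpoint                                # original server (dst of the first SYN)
    C: Endpoint                                # client IP + identification number pN
    D: Endpoint                                # server IP + identification number pN
    E: Optional[Endpoint] = None               # router-side client socket (function 3)

class ManagementDB:                            # hypothetical model of database 15
    def __init__(self, relay_port, first_id=1024):
        self.relay_port = relay_port           # server port of the stream transfer (p2)
        self.next_id = first_id                # assumption: simple counter, no reuse
        self.entries = []

    def _find(self, match):
        return next((e for e in self.entries if match(e)), None)

    def conv1(self, pkt):                      # input side: client -> router
        e = self._find(lambda e: e.A == pkt.src and e.B == pkt.dst)
        if e is None:
            if not pkt.syn:                    # step S3a: only a SYN creates an entry
                return False                   # caller falls back to IP forwarding
            pn, self.next_id = self.next_id, self.next_id + 1
            e = Entry(A=pkt.src, B=pkt.dst, C=(pkt.src[0], pn), D=(pkt.dst[0], pn))
            self.entries.append(e)
        pkt.src = (pkt.src[0], e.C[1])         # src-port := pN
        pkt.dst = (pkt.dst[0], self.relay_port)  # dst-port := p2
        return True

    def conv2(self, pkt):                      # output side: router -> client
        e = self._find(lambda e: e.C == pkt.dst)
        if e is None:
            return False
        pkt.src = (pkt.src[0], e.B[1])         # src-port := port of item B
        pkt.dst = (pkt.dst[0], e.A[1])         # dst-port := port of item A
        return True

    def conv3(self, pkt):                      # output side: router -> server
        e = self._find(lambda e: e.D == pkt.dst)
        if e is None:
            return False
        e.E = e.E or pkt.src                   # item E keeps the pre-rewrite src (a3, p3)
        pkt.src = e.A                          # server sees the original client
        pkt.dst = (pkt.dst[0], e.B[1])         # dst-port := port of item B
        return True

    def conv4(self, pkt):                      # input side: server -> router
        e = self._find(lambda e: e.B == pkt.src and e.A == pkt.dst)
        if e is None or e.E is None:           # assumption: no rewrite until E is set
            return False
        pkt.src = (pkt.src[0], e.D[1])         # src-port := pN
        pkt.dst = e.E                          # back to the router's client socket
        return True

def walk_fig13():
    a1, p1, a4, p4 = "192.0.2.10", 40000, "198.51.100.80", 80   # constructed values
    a3, p3, p2 = "203.0.113.1", 50000, 8080                     # constructed values
    db = ManagementDB(relay_port=p2)
    syn = Packet((a1, p1), (a4, p4), syn=True)   # client SYN reaches the router
    db.conv1(syn)
    pn = syn.src[1]
    reply = Packet((a4, p2), (a1, pn))           # relay's server socket answers
    db.conv2(reply)
    onward = Packet((a3, p3), (a4, pn))          # relay's client socket connects on
    db.conv3(onward)
    back = Packet((a4, p4), (a1, p1))            # server answers the original client
    db.conv4(back)
    return db, syn, reply, onward, back
```

On the input path the document tries function 4 before function 1, which matters here because both match on the same pair of items A and B with the directions swapped.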

Fig. 21 shows the process flow of the above 
described stream transfer function. 

The stream transfer function according to this
preferred embodiment is similar to the conventional
stream transfer function shown in Fig. 8. As described
above, the stream transfer function according to this
preferred embodiment obtains the IP address of the
server to be connected by using the function for
obtaining the connection destination information of a
socket.

Namely, as shown in the flow of Fig. 21, the stream
transfer function waits for the link of a TCP connection
as a server socket (step S1), and establishes the TCP
connection with a client (step S2). Then, the stream
transfer function obtains the dst-IP address and the
src-port information from the TCP connection
information between the client and the router (step S3),
and establishes the TCP connection to the connection
destination as a client socket (step S4).

Then, the stream transfer function determines
whether or not the stream continues (step S5). If the
stream does not continue, the process is terminated.
If the stream continues, the stream transfer function
reads data the amount of which is equal to or smaller
than a predetermined amount from the stream to the client
(step S6), and writes the data to the stream from the
server.

The above provided explanation refers to the
preferred embodiment for fundamentally implementing a
single end-to-end TCP connection. However, a plurality
of TCP connections can be supported by managing a
plurality of entries in the database and by uniquely
assigning an identification number assigned to a TCP
connection to TCP connections the number of which
complies with a restriction on the number of managed
TCP connections.

The identification number of a TCP connection is
incremented by 1 from its initial value (such as 1024,
etc.). If this number exceeds the range of the number
of managed TCP connections, it is reset to an initial
value when reaching a predetermined number. If the
identification number to be used is already in use at
this time, it is further incremented by 1.

With the conventional application gateway, packet
routing in the IP layer is not performed. Accordingly,
dedicated processes are required for IP packets such
as UDP, ICMP packets, etc. other than a TCP packet. The
router device according to the present invention
comprises the mechanism for passing only a TCP packet
(the mechanism for transmitting an ICMP packet will be
described later) to the TCP layer within the router.
Therefore, the other IP packets are routed in a manner
similar to the conventional IP router. Accordingly, the
global connectivity is guaranteed for a connection other
than a TCP connection.

Additionally, the conventional application
gateway requires a buffer for controlling TCP. Therefore,
as the number of connections grows, the amount of memory
used increases. Since this is larger than the amount of
memory used for normal IP routing, an unlimited number of
TCP terminations leads to heavy consumption of system
memory. As a result, the price of the device increases,
which is a disadvantage.

With the router device according to this preferred
embodiment, the number of connections is managed for
each src-IP address in the database, as shown in the
conversion function 1 that is explained by referencing
Fig. 17. When an attempt is made to generate an entry
for a new connection, a predetermined restriction number
is compared with the number of currently managed
connections. If the number of currently managed
connections exceeds the restriction number, a new entry
is not generated. All IP packets thereafter are forwarded
in the IP layer in a manner similar to the conventional
router.

This achieves the effect of preventing the system
performance from being degraded or stopped with a
temporary or steady increase in the number of
connections. Furthermore, the memory amount or the CPU
performance required to design the device can be
stipulated.
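
The identification-number assignment and the per-source restriction described above, sketched as an added example that is not code from this document: the class and method names are hypothetical, the small number range and the limit of two connections per source are constructed for the demonstration, and the restriction is read here as "at most limit_per_src entries for one src-IP address".

```python
class ConnectionAdmission:
    """Hands out identification numbers (pN) and enforces the per-source limit."""

    def __init__(self, first_id=1024, last_id=65535, limit_per_src=2):
        # pN is written into a TCP port field, so it must be a valid 16-bit port.
        if not 0 < first_id <= last_id <= 65535:
            raise ValueError("identification numbers must be valid port numbers")
        self.first_id, self.last_id = first_id, last_id
        self.limit_per_src = limit_per_src
        self.next_id = first_id
        self.in_use = {}                      # pN -> src-IP address of the entry

    def _advance(self):
        # Reset to the initial value after the predetermined last number.
        self.next_id = self.first_id if self.next_id >= self.last_id else self.next_id + 1

    def admit(self, src_ip):
        """Return a fresh pN, or None when the packet is left to IP forwarding."""
        held = sum(1 for ip in self.in_use.values() if ip == src_ip)
        if held >= self.limit_per_src:
            return None                       # this source is at its restriction
        if len(self.in_use) > self.last_id - self.first_id:
            return None                       # every number is taken; do not spin
        while self.next_id in self.in_use:    # already in use: increment further
            self._advance()
        pn = self.next_id
        self.in_use[pn] = src_ip
        self._advance()
        return pn

    def release(self, pn):
        """Called when the TCP stack closes the connection with this pN."""
        self.in_use.pop(pn, None)


def demo():
    adm = ConnectionAdmission(first_id=1024, last_id=1027, limit_per_src=2)
    got = [adm.admit("192.0.2.10") for _ in range(3)]   # third attempt is refused
    got.append(adm.admit("192.0.2.11"))
    got.append(adm.admit("192.0.2.12"))
    got.append(adm.admit("192.0.2.13"))                 # table full
    adm.release(1025)
    got.append(adm.admit("192.0.2.13"))                 # wraps, skips 1024, takes 1025
    return got
```

A refused source still gets its packets routed, so the limit bounds the router's TCP state without cutting the host off.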

In this preferred embodiment, a predetermined ICMP
packet is also terminated within the router device.
Here, the predetermined ICMP packet is a packet
including a TCP header in its data portion. To be more
specific, ICMP header types 3 through 5, 11 and 12 are
targeted as shown in Fig. 5.

Namely, the ICMP packet has a packet header shown
in Fig. 5, stores an IP header and its upper layer (such
as TCP layer, etc.) header in its data portion, and
transmits this information. If an error occurs when
a packet passes through the router device according to
this preferred embodiment from a host A and reaches a
different router or a host at an end point, the error
is notified to a packet transmission host with an ICMP
packet in some cases.

At that time, part of the IP packet that causes
the error is directly inserted in the data portion of
the ICMP packet. An error occurring in an IP packet
configuring a TCP connection must be notified to the
host which actually terminates the TCP connection (here,
the router device according to this preferred
embodiment).

The reason is that the information of a sequence
number included in the TCP header that is inserted in
the ICMP data portion is different in the two TCP
connections split by the router device according to this
preferred embodiment, and an information inconsistency
arises due to the notification with an ICMP packet.

However, since the router device according to this
preferred embodiment performs the operation for
guaranteeing the global connectivity for the hosts at
both ends, the host which generates an ICMP packet (or
a router device) attempts to transmit the packet to the
host A shown in Fig. 22.

Therefore, according to the present invention,
not only a TCP connection but also a predetermined ICMP
packet is terminated within the router device according
to the present invention.

To terminate the ICMP packet (that is, to perform
header conversion), an entry search using a connection
is required similar to a normal ICMP packet. Note,
however, that the proceeding direction of the ICMP packet
and that of the TCP packet included in the data portion
of the ICMP packet are opposite, as shown in Fig. 22.
Therefore, a search and a conversion must be performed
after the src and dst information within the IP and the
TCP headers in the data portion are reversed.

This information is restored to its original state
after being converted. During this conversion, the
dst-IP address within the header of the IP packet
included in the ICMP packet is also converted, similarly
to the dst-IP address within the IP header included in
the ICMP data portion after being reversed.

The process for an ICMP packet is shown in Fig. 23.

In this figure, contents of the src and the dst
information of the IP and the TCP packets included in
the payload (data portion) of the ICMP packet are
reversed (step S1). Then, entries in the management
database 15 are searched based on the information of
the IP address and the port number of the IP and the
TCP packets within the payload (data portion) of the
ICMP packet. Then, in step S2, the process of each
function is applied to the IP address and the TCP port
number in the payload of the ICMP packet. In step S2a,
after the process of the function 3, the src-IP address
in the IP header accommodating the ICMP packet is also
converted, in the same way as the src-IP address after
reversal of the IP header included in the data part of
the ICMP packet; and after the process of the function
4, the dst-IP address in the IP header accommodating the
ICMP packet is also converted, in the same way as the
dst-IP address after reversal of the IP header included
in the data part of the ICMP packet.

Next, the contents of the src and the dst 
information of the IP and TCP packets within the payload 
(data portion) of the ICMP packet are reversed. 

As described above, according to the present
invention, an IP router device that guarantees global
connectivity which is important as one nature of the
Internet while adopting a TCP termination mechanism in
order to make an efficient transmission in a TCP
connection straddling networks of different natures.



